CVE-2026-32913
Improper Header Validation in OpenClaw Enables Sensitive Data Exposure
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.3.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.7 and involves improper header validation in the function fetchWithSsrFGuard. Specifically, it forwards custom authorization headers during cross-origin redirects without proper checks.
Attackers can exploit this by triggering redirects to different origins, which allows them to intercept sensitive headers such as X-Api-Key and Private-Token that were intended only for the original destination.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of sensitive authorization headers, including API keys and private tokens.
This exposure can allow attackers to gain unauthorized access to protected resources or services by using intercepted credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know